Automating The Windows Software Installation Process Dan Gorrell

Automating The Windows Software Installation Process Dan Gorrell Network Administrator S. J. Quinney College of Law University of Utah gorrelld@law. utah. edu (801)587 -7957

The 1 L Software Shuffle n n n 150 -200 new students each year Each new student needs standard law-school applications to be installed. (Printing Account Client, Antivirus, Research Software) Each application needs to be installed and configured identically Students are generally unaware of installation procedures and best practices. Students bring a wide variety of existing hardware and software to the table

Additional Changes, As Needed n n Existing applications may need to be upgraded or patched New applications may be added to the “Law School Suite” of applications Software may need to be removed from student laptops Instead of 150 -200 new students, we are dealing with the entire student population

To complicate things further n n While students may use their laptops under restricted user contexts, applications often require administrative rights to install Applications often require file and registry security tweaks to run properly under restricted user accounts Law students are not generally able to perform these tweaks themselves What happens when a law student decides to “clean their hard drive” and deletes application critical files or settings?

Typical “Solutions” n n n Install each application by hand (20 -30 minutes per student) Apply patches manually, as problems arise Repair applications as students break them, usually by reinstalling them Script as many of these operations as possible and create new scripts to deal with problems as they surface Do your best to educate students and hope they get it right

The Ideal Solution n n n Software would be installed automatically Every installation would be identical Essential files and registry keys would be replaced if the user deleted them Security settings on files and registry keys would be set as a part of the installation process Software would be updated automatically If needed, software would be removed automatically (Software could be there, and back again)

So how do we get there? n n Windows Installer MSI based installation packages Installations, upgrades, and rollbacks will be managed centrally via Group Policy As a further point of interest, all of these technologies are FREE, assuming that your clients are running a professional version of Windows and you are running Active Directory on your network. If not, you can still use a subset of these features, but you won’t get the “Ideal Solution”

Windows Installer n n Windows Installer runs as a service on a user’s computer and provides a plethora of new options to deal with these problems Windows Installer installs software contained in MSI packages Windows Installer can allow restricted users to install software under a temporarily elevated user context Windows Installer provides “self healing” capabilities to your MSI-based applications

Configuring Windows Installer n n n Windows Installer doesn’t require special configuration to work. It just needs to be running If a laptop is up to date, and if the student hasn’t disabled it, it should be there The latest version (2. 0) can be downloaded from Microsoft’s website 95, 98, ME - http: //www. microsoft. com/downloads/details. aspx? displaylang=en&Family. ID=CEBBACD 8 -C 094 -4255 -B 702 -DE 3 BB 768148 F NT and 2000 - http: //www. microsoft. com/downloads/details. aspx? Family. ID=4 b 6140 f 9 -2 d 36 -4977 -8 fa 1 -6 f 8 a 0 f 5 dca 8 f&Display. Lang=en XP – Windows Installer 2. 0 is included

MSI Files n n MSI Files are the “new breed” of setup files… they improve on “setup. exe” MSI Files are actually database files that contain information about every file, registry key, and. INI manipulation that needs to be in place for a piece of software to install properly MSI files can also contain information about what security settings need to be implemented for these files and registry keys MSI files are “open” and a wide variety of tools are available to help you work with them

Vendor Supplied MSI Files n n n Since their debut in Office 2000, MSI files have been increasingly used by vendors to deliver Windows applications As such, many of the applications you want to deliver to your students may already have the necessary MSI files Depending on the complexity of the application, you may need to tweak the MSI file to install the way you want it to

A Simple MSI: Adobe Reader 6. 0 n n n The installation process for Adobe Reader is really quite simple The only option that can be configured during installation is the program folder The default program folder is probably acceptable so we don’t need to tweak this MSI at all to use it in our environment

Installing an MSI in “Silent Mode” n n Installing an application in “Silent Mode” can help you determine if it will deploy properly or if it needs additional tweaking The following command will install our Adobe Reader MSI in “Silent Mode” msiexec /i “Adobe Reader 6. 0. msi” /q n If your application runs properly after being installed in “Silent Mode”, chances are it will work well with our software deployment solution (be sure to test ALL of the features of the program)

A Trickier MSI: NAI Virus. Scan 7. 0 n n n NAI also ships an MSI file with their Virus. Scan product Their installation has quite a few more options than Adobe’s did Chances are that you will want to customize this installation before deploying it to your students

Configuring Virus. Scan Manually During the installation process, we are required to enter the following information, n n n License Type License Acceptance Region Setup Type Desired Components Alert Manager Information n n Repository Locations Scanning Preferences Start-Menu Options System Tray Options Password Options

And Virus. Scan STILL Isn’t Configured! n n After all of this, we are pretty close to where we want to be, but… We haven’t scheduled DAT file updates We haven’t scheduled any full-system scans We are deploying ancient DAT files, though we do perform an update after installation

Remember, MSI Files are “Open” n n Because MSI is an “Open” installation method, vendors can supply their own tools for customizing their MSI files Whenever deploying an application, check the documentation to see if such tools exist Fortunately for us, Mc. Afee/NAI does provide such a tool The NAI Installation Designer application allows us to create a customized MSI package that will install exactly as we want

A Vendor Supplied MSI Customization Tool

Testing Our Custom MSI n As we did with Adobe Reader, we will want to test our MSI by running a “Silent Install” to determine if it works or not msiexec /i vse 700. msi /q n Doing so shows that our MSI installs properly and with our custom settings and so we are ready to deploy this application

If There Are No Vendor Tools n n n If the vendor of your application does not supply tools for customizing their MSI, you can still do so, but it is trickier A number of tools exist, some of which are free, that allow direct editing of MSI files Let’s take a look at two of them, Microsoft’s Orca, and Win. Install LE by On. Demand Software

Microsoft Orca

On. Demand Software’s Winstall LE

One Final Note On Vendor MSIs n n Many vendor supplied MSI files require you to do an “administrative install” of the MSI before deploying it to users Administrative installs reorganize files into a format better suited to network installations They may also allow you to “hard-code” licensing information into the MSI Check with your vendor to see if this is required for your particular application

What if there is no MSI? Legacy applications n Applications without a vendor supplied MSI package n Custom applications developed “in house”, or by a contractor n

Grow Your Own (MSI) n n n Legacy application installation methods can be used to create an MSI package through a process called repackaging Repackaging generally involves taking a “before” snapshot of a system, installing a piece of software, configuring it to work the way you want and taking an “after” snapshot The two snapshots are then compared and the deltas are saved in an MSI package

Repackaging Best Practices n n n Start with a clean machine – Windows only Close all other programs, including antivirus Do not do anything between snapshots except for configuring the software Go through the created MSI with an editor and clean out anything that is not related to your application Do not repackage an application if the vendor has already supplied an MSI file Repackage one application at a time

Repackaging With Win. Install LE n n Download and install the latest version (2003) of Win. Install LE on the machine that you will later use to edit your MSI file www. ondemandsoftware. com Copy Discoz. exe from the applications program folder onto your MSI creation machine Alternatively, you could map to a network drive that contains Discoz. exe Run Discoz. exe to begin the repackaging process

After The “Before” Snapshot n n After the “Before” snapshot completes you can install your application You can also perform any custom configuration that you would like to deliver to your end user So long as the configuration data is stored in a file, registry key, or. INI file, it will be included in your deployed application When you are finished, run Discoz. exe again to take an “After” snapshot

After The “After” Snapshot n n Once the “After” snapshot completes, your basic MSI is ready to fine tune and deploy It is a good idea to open the MSI in Win. Install LE, or some other MSI editor and verify that nothing unrelated was included in the package While you are there, you can also specify which files are vital to your application and should be “self-healing” and which shouldn’t You can specify the user permissions that should be set on each of the files and registry keys via their property sheet in Win. Install LE

Testing Your Home Grown MSI n n When repackaging software, it is especially important to test all of the software’s features to make sure they work properly Repackaged software (generally) doesn’t require user interaction and so doubleclicking the MSI is as good a test as a “quite install”

Group Policy n n Group policy allows you to push software out to individual users or computers Group policy works with Windows Installer to install your software automatically and in an elevated security context Group policy can push out upgrades and patches to keep your software current Group policy can also “pull back” software when it is no longer required

Configuring Group Policy To Deploy An MSI Package 1. 2. 3. 4. 5. 6. 7. Open “Active Directory Users And Computers” on a domain controller Right click on the OU that contains the machines you want to deploy the software to and hit properties Select the “Group Policy” tab and hit “New” Name your new policy whatever suits you best and open its properties Expand “Computer Configuration”, then “Software Settings”, right click on “Software Installation” and hit New->Package Then browse to the location of the MSI file that you want to deploy and select it. (Use a UNC path accessible to your clients) Select “Assigned” in the dialog box that appears and hit “Ok”

Group Policy / MSI Deployment Demonstration

To Learn More Check Out n n n The Definitive Guide To Windows Installer Technology For System Administrators http: //www. wise. com/ebook Windows Installer SDK http: //www. microsoft. com/msdownload/pl atformsdk/sdkupdate/ App. Deploy Website’s FAQ’s and Articles http: //www. appdeploy. com